Splunk ITSI

Missing index firedalerts (used by app DA-ITSI-CP-unix-dashboards)

corti77
Contributor

After the installation of IT Essential Works, I started to receive the following alert


Received event for unconfigured/disabled/deleted index=firedalerts with source="source::fired_alerts" host="host::XXXXXXXXXX" sourcetype="sourcetype::stash". So far received events from 1 missing index(es).


I decided to create the index manually and after a day I saw a few events coming in. Digging a bit, I found out that they seem to come from the saved search called fired_alerts that is part of the app DA-ITSI-CP-unix-dashboards, which I don't have enabled (!). I only enabled the Exchange content.

[screenshot: corti77_1-1629451302518.png]

whose query is


| rest /services/search/jobs | search [search index=_audit action=alert_fired | fields sid] | collect index=firedalerts


Is this normal? Why was the index not created automatically by ITSI?


linhmai_bne
Path Finder

- SSH to search head.

- Go to app folder location .../etc/app/<name>/default

- Open savedsearches.conf

- Copy search query using that index

- Add that search to savedsearches.conf in ../etc/app/<name>/local

- Add disabled = 1

- Restart

That is how I solved it by disabling the search query.

0 Karma
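The steps in the answer above, written out as a small POSIX shell script. This is an added example, not code from the thread or from the DA-ITSI-CP-unix-dashboards app: it overrides a saved-search stanza in the app's local/savedsearches.conf with disabled = 1 (the local layer takes precedence over default, so the shipped stanza is left untouched and survives app upgrades), and it reads back the effective value so you can confirm the search is actually off before restarting. The app directory and stanza name are passed as arguments; the directory layout it operates on is assumed to mirror $SPLUNK_HOME/etc/apps/<name>/{default,local}.

```shell
#!/bin/sh
# Added example (not from the thread): disable a Splunk saved search by
# overriding its stanza in <app_dir>/local/savedsearches.conf, which is
# what the answer above does by hand. Assumes the usual
# $SPLUNK_HOME/etc/apps/<name>/{default,local} layout.

# stanza_value FILE STANZA KEY: print KEY's value from [STANZA] in FILE,
# or nothing if the file, stanza or key is absent.
stanza_value() {
    [ -f "$1" ] || return 0
    awk -v s="[$2]" -v k="$3" '
        { sub(/[ \t\r]+$/, "") }                 # drop trailing whitespace
        $0 == s { in_s = 1; next }               # entered the wanted stanza
        /^\[/   { in_s = 0 }                     # any other header ends it
        in_s && $0 ~ ("^" k "[ \t]*=") {         # "key = value" line
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }
    ' "$1"
}

# effective_disabled APP_DIR STANZA: the "disabled" value Splunk would use,
# checking local first and falling back to default, then to 0 (enabled).
effective_disabled() {
    v=$(stanza_value "$1/local/savedsearches.conf" "$2" disabled)
    if [ -z "$v" ]; then
        v=$(stanza_value "$1/default/savedsearches.conf" "$2" disabled)
    fi
    printf '%s\n' "${v:-0}"
}

# disable_saved_search APP_DIR STANZA: add "[STANZA]\ndisabled = 1" to the
# app's local/savedsearches.conf, creating the directory and file as needed.
# If local already carries the stanza, leave it alone instead of appending a
# duplicate header (a second [STANZA] block would silently shadow the first).
disable_saved_search() {
    app_dir="$1"
    stanza="$2"
    conf="$app_dir/local/savedsearches.conf"
    mkdir -p "$app_dir/local"
    if [ -f "$conf" ] && grep -q "^\[$stanza\]" "$conf"; then
        return 0
    fi
    printf '\n[%s]\ndisabled = 1\n' "$stanza" >> "$conf"
}

# Usage: sh disable_search.sh /opt/splunk/etc/apps/DA-ITSI-CP-unix-dashboards fired_alerts
# (path is a constructed placeholder; a Splunk restart or debug/refresh is
# still needed afterwards, as the answer notes)
if [ $# -ge 2 ]; then
    disable_saved_search "$1" "$2"
    echo "$2 disabled=$(effective_disabled "$1" "$2")"
fi
```

Creating the missing index instead, as the original poster did, makes the "unconfigured index" message go away but keeps the search running and collecting into firedalerts; disabling the stanza stops the collection at its source, which is what you want when the app's content is not in use.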